Abstract — Information Centric Networking (ICN) is a new
network architecture that aims to overcome the weakness of
existing IP-based end-to-end networking. Instead of knowing the
IP address of the communicating party, ICN focuses on the data,
i.e. content, transmitted in the network. Therefore, how to locate and
access the desired content is a crucial issue in ICN. Some existing
solutions aim at resolving the content name through a name
resolution service, which is similar to the DNS services of the
Internet. Other solutions are based on a route-by-name scheme, which
treats content names similarly to how existing routing protocols use
IP addresses. Since the content can be cached in various data
storage, it is difficult to enforce content access control policies on
various content hosting servers. As a result, using Attribute-Based
Encryption (ABE) is a flexible approach to enforce the content
access policies regardless of the security mechanisms provided by
different content hosting servers. However, using ABE has a
drawback that the enforced content access policies are known
to all the ICN users. It is desirable that only legitimate content
viewers are able to reveal the content access policies. To this end,
a privacy-preserving content access control scheme is presented
in this research for ICN. The presented scheme is compatible
with existing flat name based ICN architectures.

Index Terms — privacy, naming, information centric networking,
access control

I.  Introduction

In  the  current  Internet,  if  a  network  entity  wants  to  get  the 
access  to  some  content,  it  has  to  locate  and  connect  to  the 
content hosting server based on Internet routing and networking
protocols. As a result, the content is associated tightly
with  the  location  of  the  server.  The  entire  network  is  centered 
around  connecting  the  content  consumers  to  the  content  owner. 
Information  such  as  connection  status  is  important  to  the 
success  of  networking. 

Witnessed  by  the  fact  that  the  connection-centered  network 
design  is  a  support  for  transferring  content  to  the  consumers, 
various  ICN  architectures  [1,  2,  3,  4,  5]  are  proposed.  In  ICN 
architecture,  the  focus  is  shifted  to  connecting  the  content 
consumers  with  the  content  itself.  Thus,  instead  of  identifying 
the  content  owner’s  address,  the  network  changes  to  identify 
the authentic content copies. Thus, the consumers do not need
to know where the content is located, i.e. the IP address of the
content owner. The content name could lead them to a copy
of the content. Content owners publish the content, which
could be copied and stored in the network by applying network
caches. Network caches are normally storage servers or could
be a normal network entity. The purpose of this design is to
make sure that the content could be delivered to the consumer
with a higher efficiency. For example, it is able to retrieve the
nearest  (according  to  some  metrics)  copy  of  the  content  to  the 
consumer.  In  contrast,  in  the  traditional  Internet  networking 
framework,  the  consumer  could  only  get  the  content  from  its 
owner. 

Though  the  design  is  efficient  in  retrieving  content  using 
ICN,  it  brings  great  challenges  to  the  security  issues  during 
content caching and retrieving. One of the challenges is that the
end-to-end  communication  security  is  not  easy  to  support. 
This  is  because,  in  ICN,  the  consumer  cannot  predict,  from 
which  party  it  gets  the  content.  Traditional  content  access 
control  policies  cannot  be  easily  enforced  by  all  the  content 
hosting  servers  when  caching  the  content.  Therefore,  instead 
of  enforcing  the  data  access  control  on  each  content  hosting 
server,  a  natural  approach  is  to  secure  the  content  by  enforcing 
the  data  access  control  through  cryptographic  approaches,  i.e., 
encryption/decryption. Only legitimate users who have proper
cryptographic  keys  can  access  and  then  reveal  the  data  content. 
Since  each  content  is  identified  by  the  name,  it  is  easy  for 
any  network  entity  to  access  the  content  as  long  as  the 
name  is  known.  To  enforce  access  control  onto  the  content, 
several  frameworks  such  as  [7]  have  been  proposed.  Most 
of  these  solutions  require  additional  authorities  in  network 
to authenticate each content consumer. These schemes are sound
but introduce additional network components and complicate
the ICN service framework. The reason why it is difficult to
establish  an  access  control  scheme  in  ICN  systems  is  that  after 
the  content  is  published,  the  owner  does  not  have  control  on 
the  content  copies  any  more.  Copies  of  the  content  could  be 
scattered  around  the  network.  This  is  different  from  traditional 
network  where  the  owner  can  authenticate  the  consumer  before 
it  provides  the  content. 

To  address  the  data  access  control  problem  of  ICN,  we 
propose  a  new  content  protection  scheme  to  support  access 
control. This approach is inspired by Attribute Based Encryption
(ABE) schemes [9, 10, 11]. Instead of incorporating a
set  of  additional  components,  it  only  requires  one  additional 
trusted  third  party  (TTP)  in  the  network.  In  addition,  it 
could  be  seamlessly  incorporated  into  existing  flat-name  ICN 
architectures.  In  our  approach,  each  network  entity  is  assigned 
with  a  set  of  attributes  with  the  help  of  the  TTP  according 
to  their  real  identities  and  functional  attributes.  The  access 
control  policy  for  the  content  is  based  on  combinations  of  the 
attributes in terms of AND and OR operations. This policy
is enforced according to the content names instead of the
contents. Moreover, the presented solution revises the ABE
scheme by hiding the access policies in the encryption. As a
result, the privacy-preservation is provided for the content access
policies, i.e., only legitimated content viewers can reveal
the  encryption  policies  and  then  decrypt  the  data  content.  This 
feature  can  greatly  improve  the  privacy  protection  on  ICN  data 
when  they  are  distributed  in  the  public  domain.  In  this  way,  a 
user  is  able  to  identify  its  eligibility  of  the  accessed  contents 
through  the  encrypted  names  before  actually  accessing  the  data 
content.  In  summary,  the  scheme  we  proposed  in  this  paper 
achieves  the  following  features: 

•  It  preserves  the  confidentiality  of  the  access  policy  of 
contents.  Ineligible  consumers  cannot  derive  the  data 
access  policies  even  if  they  collude  together; 

• It supports any combination of attributes under AND
and OR operations in the access control policies, which
makes it very flexible to construct data access policies
based on known attributes. As a result, even an eligible
consumer may not know the full data access policies after
a successful decryption due to the use of OR gates in the
encryption policy tree;

• It significantly reduces the computation and communication
overhead for a potential consumer to determine
whether it is eligible to access the content.

The  remainder  of  this  paper  is  organized  as  follows.  Section 
II  goes  through  the  related  work  on  ICN  and  its  security. 
Section  III  presents  the  system  models  and  preliminaries. 
Detailed  description  of  our  scheme  is  provided  in  Section  IV, 
and  its  performance  and  security  analysis  is  given  in  Section 
V.  We  conclude  this  paper  in  Section  VI. 

II.  Related  Work 

In  this  paper,  we  will  propose  an  ABE-based  scheme  to 
enforce  a  secure  access  control  mechanism  in  ICN  systems. 
Before  going  into  details  of  our  approach,  we  will  introduce 
research  results  on  ICN  and  ABE  respectively. 

A.  ICN  Solutions 

Several  network  architectures  have  been  built  in  the  past 
years.  These  approaches  are  different  from  each  other  in 
several  aspects  though  the  main  idea  is  centered  around 
information  process  and  management.  Among  them,  CBCB 
[1]  runs  on  the  application  layer.  It  uses  publish/subscribe 
scheme  to  publish  contents.  Each  consumer  broadcasts  its 
interest  in  the  form  of  attribute  combinations.  These  interests 
are propagated through the network. At each router, the
interests associated with an interface are updated in the form
of predicates. Then when a content is transferred through the
network,  the  content  is  compared  with  the  predicates  on  every 
interface  to  determine  through  which  interfaces  to  forward  the 
content. 

DONA  [2]  is  an  ICN  project  that  is  deployed  above  IP  layer. 
It  aims  to  replace  the  name  resolution  system  in  network.  The 
name of a content is in the form of P:L, where P represents the
hash of the owner’s public key, L is a unique label the owner
assigns  to  the  content.  The  owner  registers  the  content  into 
the  name  resolution  system  when  it  is  ready  to  publish.  The 
consumers  use  the  name  resolution  system  to  find  the  nearest 
copy  of  the  content.  The  system  will  return  with  the  content 
copy  or  the  IP  address  of  the  content  location.  Netinf  [4]  uses 
a  similar  naming  scheme  as  DONA.  But  instead  of  using  the 
owner’s  public  key  to  generate  the  digest,  it  uses  a  pair  of 
public/private  keys  for  each  content.  It  also  uses  multi-level 
Distributed  Hash  Table  (DHT)  for  name  resolution.  A  content 
owner  needs  to  register  its  content  in  all  the  three  levels  and 
content  lookup  is  carried  out  from  the  lowest  level  upwards.  If 
it  is  not  successful,  then  an  individual  resolution  system  will 
be  used.  PURSUIT  [5]  also  uses  a  similar  naming  scheme  as 
DONA.  But  it  has  a  much  different  structure  for  retrieving 
the  content  location  which  involves  topology  information  and 
load  balance.  Besides,  it  uses  Bloom  filter  for  source  oriented 
routing  to  forward  the  content  to  its  consumer. 

Unlike  the  above  solutions,  NDN  [3]  uses  human-friendly 
names  instead  of  flat  names.  A  name  in  NDN  consists  of 
multiple  components,  each  of  which  is  a  human-readable 
string.  It  also  contains  a  digest  of  the  content.  This  solution 
uses  the  name  to  execute  a  routing  process  that  is  similar  to 
the  current  IP-based  routing.  Tables  similar  to  route  tables 
maintain  the  prefix  of  names  and  the  corresponding  interfaces 
or  data.  In  this  way,  a  response  to  a  content  request  could 
be  the  content  itself.  Also,  this  solution  aims  to  provide  a 
replacement  to  IP  instead  of  being  a  layer  above  IP,  which  is 
different  from  above  approaches. 

All  these  ICN  methods  focus  on  the  efficiency  and  security 
aspects  of  the  network  while  access  control  to  the  content  and 
content  privacy  are  not  well  studied.  In  [7],  an  independent 
access  control  system  is  introduced  to  support  the  need  in 
ICN.  This  system  connects  to  the  ICN  structure  through  a 
component called the Relaying Party (RP). An additional component
called Access Control Provider (ACP) is in charge of
helping  content  owners  create  access  policies  and  enforcing  the 
policies  to  consumers’  credentials.  This  system  incorporates 
access  control  into  ICN  systems  but  requires  more  network 
interactions for a consumer to get the content. For protecting
content  privacy  purposes,  [12]  proposes  a  design  in  which  each 
file  is  divided  into  blocks.  Two  or  more  blocks  are  mixed  to 
form  a  chunk.  A  block  from  the  file  is  mixed  with  blocks 
from  "cover"  content  using  randomizing  transformations  and 
the  results  are  published  to  the  network  so  that  the  adversary 
could  not  retrieve  the  original  file  easily.  To  recover  the  file, 
an  authentic  consumer  needs  to  get  more  information  related 
to  the  file  from  a  secure  channel.  With  such  information,  the 
consumer requests related chunks from the network. But the
requirement  of  a  secure  channel  is  not  quite  realistic  in  many 
application  scenarios. 

B.  ABE  Schemes 

ABE schemes are originated from Identity-Based Encryption
(IBE) which aims to use the user’s id as the public
key for asymmetric encryptions. After that, an ABE scheme
named Ciphertext-Policy ABE (CP-ABE) [9] is introduced by
J.  Bethencourt  et  al.  This  scheme  assigns  each  user  with  a  set 
of  attributes  according  to  their  real  life  roles  and  identities. 
There  is  one  private  key  corresponding  to  each  attribute.  A 
policy  specifying  under  what  condition  the  ciphertext  could 
be  successfully  decrypted  is  constructed  by  the  encryptor.  This 
policy  is  attached  with  ciphertext  in  plaintext.  Users  who  do 
not  possess  a  satisfactory  combination  of  attributes  are  not 
able  to  decrypt  the  ciphertext.  This  scheme  enables  providing 
access  control  to  individual  messages.  A  message  sender  (or  a 
content  owner  in  ICN  context)  is  able  to  specify  the  required 
attribute  combinations  without  having  to  know  the  receivers’ 
keys.  In  addition  to  this  feature,  this  scheme  can  defend  against 
colluding  attackers. 

The  reason  why  CP-ABE  is  not  suitable  for  ICN  usage 
is  that  the  policy  is  transmitted  in  clear  text.  In  this  way, 
any  network  user  who  has  access  to  the  ciphertext  during 
transmission  can  access  details  of  the  policy.  Attackers  can 
deduce  the  sensitivity  of  the  message  as  well  as  inferring 
the role of those who are involved in the message transmission.
For example, a message encrypted with the policy
{Dean} AND {University President} is definitely more
important than one with policy {Faculty} AND {Student}.
Thus, attackers can identify those high-value users and concentrate
on attacking these targets.

What needs to change in CP-ABE is to hide the policy
in the ciphertext. For this purpose, several works [10, 13]
have made good progress. An attacker cannot get any
information  about  the  policy  even  if  it  actually  executes  the 
decryption  process.  But  these  solutions  sacrifice  efficiency  to 
security  in  that  any  party  that  tries  to  decrypt  the  ciphertext 
will  have  to  go  through  the  entire  decryption  process  which 
involves  a  heavy  computation  overhead. 

To  make  those  unsatisfactory  users  realize  their  ineligibility 
as  soon  as  possible  to  save  computation  resources,  D.  Huang  et 
al. proposed a scheme [14] to expose the policy attributes step
by  step.  Only  one  attribute  is  exposed  to  the  decryptor  at  one 
step.  In  this  way,  the  decrypter  is  able  to  stop  the  decryption 
process  as  soon  as  it  fails  at  one  step.  But  the  price  for  this 
ability  is  that  one  additional  attribute,  which  is  the  one  that 
fails  the  decrypter,  is  exposed.  Besides,  this  approach  does  not 
support  OR-gates  which  limits  the  flexibility  of  the  policy. 

III.  Models  and  Preliminaries 

In  this  section,  we  present  a  basic  ICN  framework  model 
and  the  corresponding  security  model. 

A.  ICN  framework  model 

The  content  in  an  ICN  system  consists  of  at  least  two  parts: 
the  data  to  be  transferred  and  some  meta-data.  The  data  part 
of  the  content  can  be  any  file,  like  a  text  or  a  picture,  or  a 
chunk  of  a  file.  The  meta-data  part  contains  authenticity  and 
integrity  related  information. 

In  a  typical  ICN  system,  there  are  three  main  roles  of 
network  entities:  content  owner,  content  consumer  and  content 
cache. A content owner may not be the one who creates the
content but it fully possesses the ownership of the content.
A  consumer  is  a  network  entity  that  requests  the  content.  It 
needs  to  get  the  content  from  the  network  with  the  help  of  the 
ICN  infrastructure.  A  cache  is  an  entity  that  is  willing  to  hold 
a  copy  of  the  content  for  a  period  of  time  in  its  own  local 
storage  for  some  reasons  so  that  whenever  a  request  for  the 
content  arrives,  it  responds  with  a  copy  of  the  content  to  the 
consumer.  All  these  three  network  roles  are  exchangeable  for 
individual  network  entities.  That  is  to  say,  an  entity  could  be 
the  owner,  a  cache  and  a  consumer  for  different  contents  at 
the same time (Figure 1).


The ICN system consists of at least two components: a Name
Publishing  (NP)  system  and  a  Name-based  Routing  (NR) 
system.  The  NP  is  in  charge  of  publishing  the  content  names. 
The  NR  is  able  to  retrieve  the  content  based  on  its  network 
name.  Details  on  how  these  two  systems  are  realized  will 
not  be  illustrated  in  this  paper  since  it  is  not  the  focus  of 
the work. Interested readers can refer to [2], [3], and [1] for
more  information.  In  addition  to  these  basic  parts,  our  scheme 
includes  a  TTP  which  is  trusted  to  the  entire  network.  The 
TTP  is  in  charge  of  setting  up  ABE-related  global  parameters 
for the network. It also helps assign attributes to individual
entities. 

An  attribute  could  be  any  label  that  is  used  to  identify  a 
person  or  an  entity.  In  the  proposed  scheme,  every  network 
entity  is  associated  with  a  unique  identifier  (UID)  and  a  set 
of  attributes.  Here,  UID  itself  can  be  treated  as  a  special 
attribute.  Attributes  (other  than  UIDs)  can  be  defined  and 
managed  by  any  entity  in  network.  But  the  definition  and 
management  process  on  an  attribute  should  be  carried  out  by 
the  same  entity.  This  entity  is  denoted  as  the  authority  of  the 
attribute. 

Before  any  entity  creates  a  content,  the  TTP  needs  to  set  up 
global  parameters  for  the  entire  ICN  system.  After  that,  any 
entity  in  the  network  can  create  attributes  and  assign  them  to 
anyone interested in them. Detailed process on how attributes
are distributed is out of the scope of this work. Interested
readers can refer to allocation problem solutions such as [15].
At this phase, entities are ready to create contents.

When  an  entity  needs  to  publish  a  file,  as  the  content 
owner,  it  needs  to  set  up  an  access  policy  for  its  content 
before publishing it. The policy is represented as a combination
of related attributes with AND and OR gates. For
example, if a content owner wants to create a file that should
be accessible only to people working at the HR and the
R&D departments of a company A, then the policy could be
{A} AND {{HR} OR {R&D}}. In this way, the owner does
not need to know explicitly who should access the content. All
it needs to do is to identify the attributes and the combination so
that  as  long  as  a  consumer  satisfies  the  policy,  it  is  able  to 
access  the  content.  Any  entity  who  does  not  satisfy  the  policy 
will  not  be  able  to  access  the  file  in  this  content. 

After  that,  the  owner  generates  a  random  symmetric  key  and 
uses  this  key  to  encrypt  the  file  to  be  published.  The  encryption 
result  is  set  as  the  data  part  of  the  content.  Then  the  owner 
creates  a  name  for  the  content.  It  uses  our  scheme  to  encrypt 
the  random  key  with  the  policy  it  has  already  specified.  The 
result  of  this  process  is  used  as  the  real  name  of  the  content. 
Here  we  need  to  emphasize  that  the  real  name  generated  using 
our  scheme  hides  the  content  access  policies  so  that  no  one 
can  get  the  entire  policy  from  the  name.  The  network  name, 
which  is  used  for  the  ICN  system  to  retrieve  the  content,  is 
the  hash  value  of  the  real  name.  The  owner  then  publishes  the 
real  name  and  the  network  name  of  the  content  into  the  ICN 
system.  This  process  is  depicted  in  Figure  2. 
Figure 2: Creating a Content


A  consumer  who  needs  this  file  can  get  the  real  name  of 
the  corresponding  content  through  the  NP  system.  Before  it 
uses  the  NR  system  to  get  the  content,  it  uses  its  attributes  to 
decrypt  the  real  name.  If  its  attributes  satisfy  the  hidden  policy 
in  the  real  name,  then  it  can  get  the  random  symmetric  key 
protected  in  the  name.  Also,  it  generates  the  network  name  and 
uses  it  to  get  the  content  through  the  NP  system.  The  data  of 
the  content  then  can  be  decoded  using  the  random  key  to  get 
the  original  file.  If  a  consumer  cannot  successfully  decrypt  the 
real  name  of  the  content,  then  it  means  the  consumer  is  not 
allowed  to  access  the  original  file.  Thus,  even  if  it  downloads 
the  content  using  the  network  name,  it  still  does  not  have  the 
random  key  to  decode  the  data. 

In the example of Figure 1, there are two attributes Attr1 and
Attr2  managed  by  Authority  1  and  Authority  2  respectively. 


The  content  owner  creates  a  policy  {Attr2}  to  the  content 
published.  The  content  is  published  into  the  network  and  two 
consumers  are  willing  to  get  the  content.  When  Consumer  1 
gets  the  real  name  of  the  content,  it  discovers  that  its  attribute 
Attr1 could not decode the name. Thus, Consumer 1 knows
that the content is not intended for it. When Consumer 2 gets
the real name, it can successfully decrypt the name. Thus,
it generates the network name of the content, uses the
Name-based Routing system to download the content and uses
the  random  key  it  gets  from  the  real  name  to  decrypt  the 
data  part  of  the  content.  Through  this  figure,  we  can  see  that 
Consumer  2  also  acts  as  the  authority  of  Attr2.  A  network 
entity  can  be  a  Content  Owner,  a  Content  Consumer,  a  Content 
Cache  and  an  authority  at  the  same  time. 

B.  Attack  model 

In  order  to  guarantee  the  integrity  of  content,  a  digital  digest 
signed  by  the  owner  is  included  in  the  content  meta-data.  Since 
data  integrity  is  not  the  focus  of  this  paper,  we  will  not  provide 
detailed  information  on  this  issue. 

In the remainder of this paper, we assume that the attackers
have  two  goals  to  achieve  in  compromising  the  access  control 
scheme:  (1)  acquiring  unauthorized  privilege  to  the  data;  (2) 
retrieving  constitutional  information  of  access  policies  so  as 
to  gain  more  information  about  the  content,  the  content  owner 
and the consumers. The information includes but is not limited
to  the  identity  of  the  owner  or  consumers,  the  sensitivity  of  the 
content  and  the  potential  value  of  data  in  the  content.  For  the 
first  goal,  the  attackers  will  have  to  break  the  confidentiality 
mechanism  of  the  protected  data.  Possible  methods  include 
exploiting  vulnerabilities  within  the  protection  functionality 
of  the  content.  For  the  second  goal,  which  could  be  treated 
secondary  to  the  first  one,  attackers  will  have  to  analyze  the 
ABE-based  scheme  we  propose  in  this  paper  so  as  to  identify 
possible  ways  to  reveal  the  policy.  In  order  to  illustrate  our 
scheme  step  by  step,  we  firstly  introduce  basics  about  CP-ABE 
which  is  the  origin  of  our  proposed  scheme. 

C.  Preliminaries  of  CP-ABE 

The  foundation  of  CP-ABE  is  bilinear  pairing  computation. 
Let’s assume there are two groups: an additive group $G_0$ and a
multiplicative group $G_1$. They share the same large prime order
$p$. The Discrete Logarithm Problem is difficult in both of them. We
define a bilinear map $e : G_0 \times G_0 \to G_1$. This map has three
properties:

• Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$, for any $P, Q \in G_0$
and $a, b \in \mathbb{Z}_p$;

• Nondegeneracy: $e(g, g) \neq 1$, where $g$ is the generator of
$G_0$;

•  Efficiency:  Computing  the  pairing  can  be  efficiently 
achieved. 

In  CP-ABE,  there  are  three  types  of  keys:  master  key,  public 
key  and  private  key.  A  TTP  is  required  to  generate  a  set  of 
public  parameters  and  securely  store  the  master  key.  The  TTP 
will  not  be  involved  in  the  network  communication.  It  can  be 
offline all the time. The scheme of CP-ABE consists of four
basic algorithms: Setup, Encrypt, KeyGen and Decrypt. In
Setup, the TTP chooses two random exponents $\alpha, \beta \in \mathbb{Z}_p$. A
public key is formatted as $\langle G_0, g, h, f, e(g, g)^{\alpha} \rangle$ while the
master key is $(\beta, g^{\alpha})$. Here $h = g^{\beta}$, $f = g^{1/\beta}$. The public key is
published by the TTP before deployment. When a party wants
to encrypt a message $M$, it runs the Encrypt algorithm. The
inputs of this algorithm are the public key, the message $M$
and a policy tree $T$. The output is a ciphertext. The KeyGen
algorithm is used to generate private keys based on its inputs:
the master key and a set of attributes. For each network node,
the TTP runs the KeyGen algorithm once to generate a private
key according to attributes assigned to that node. When a node
receives the ciphertext, it runs the Decrypt algorithm to get
the encrypted data. This algorithm takes the ciphertext and the
node’s private keys as inputs.

Table I: Notations

| Terms | Meaning |
|---|---|
| $G_0$ | a bilinear group with a prime order $p$ |
| $G_1$ | a multiplicative group with the same prime order $p$ |
| $e(\cdot)$ | a bilinear map $e : G_0 \times G_0 \to G_1$ |
| ROOT | a global constant value $ROOT \in G_1$ as identification of the secret message protected with the policy |
| $Enc_k(\cdot)$, $Dec_k(\cdot)$ | a symmetric encryption algorithm $Enc_k(\cdot)$ and the corresponding decryption algorithm $Dec_k(\cdot)$ in $G_1$ |
| encryption sequence | the sequence of attributes in a conjunctive clause in encryption |
| decryption sequence | the sequence of attributes in a conjunctive clause in decryption |
| $A_i$ or $A_n$ | an attribute; $A_i$ is used for denoting an individual attribute, $A_n$ denotes the n-th attribute in a sequence |
| $A_{pub}$ | a public attribute shared among all the network nodes; the corresponding values stored at each node are $(S_{pub}, T_{pub})$, $S_{pub} \in \mathbb{Z}_p$, $T_{pub} \in G_0$ |

IV.  ABE-based  ICN  Naming  Scheme 

In  this  section,  we  illustrate  our  ABE-based  naming  scheme 
for  ICN  network.  This  scheme  is  based  on  previous  ABE 
algorithms  [9]  [14].  Since  it  is  tightly  related  to  attributes, 
random  symmetric  keys  and  attribute  keys,  we  will  illustrate 
the  management  of  these  factors  as  well.  Before  introducing 
details  of  our  scheme,  we  provide  a  summary  of  notations  in 
Table  I. 

A.  ABE-based  Naming  Scheme 


Attributes of an entity can be any value in strings. In CP-ABE,
these values are converted into mathematical values
with hash functions. In our scheme, each attribute string $A_i$
corresponds to a triplet $(T_i, I_i, k_i)$. The map from a string to
such a triplet is not defined by hash functions but determined
by the authority of $A_i$. An access policy can be expressed
in Disjunctive Normal Form (DNF) of attributes. In each
conjunctive clause of the DNF, the sequence of attributes
is enforced by the encryptor. The sequence of encrypting a
conjunctive clause is opposite to the sequence of decryption.
We name the sequence of encrypting a clause as encryption
sequence and the opposite sequence as decryption sequence.
We define a public attribute $A_{pub}$ in our scheme. Unlike
other attributes, $A_{pub}$ is associated with an ordered pair
$(T_{pub}, I_{pub})$. For each conjunctive clause, the encryptor adds
$A_{pub}$ at the end of the encryption sequence. Also, the encryptor
is required to simplify the DNF so as to reduce the size
of attribute policy.

In this scheme, a GlobalSetup algorithm is run by a TTP
to generate global parameters for the system. For each node
joining in the network, the TTP runs the NodeJoin algorithm
once to generate a unique secret for the node. The input of
NodeJoin is the node’s UID while the outputs are $\{D_{UID},
X_{pub,UID}, Y_{pub}, Z_{pub,UID}\}$. For each attribute, the authority
in charge runs an AuthoritySetup algorithm to generate
secrets associated with that attribute. Besides, our scheme
includes four other basic algorithms: KeyGen, Encrypt, Decrypt
and Hash. The Encrypt algorithm will generate results
in three different algebraic structures. The Hash algorithm
is used to convert the results of Encrypt in each algebraic
structure into one element so that the final result is a triplet
with each element coming from one algebraic structure. Since
this requirement can be fulfilled by any algebraic operation
in the corresponding structure, we will not provide details of
this algorithm.

The  GlobalSetup  algorithm  and  NodeJoin  algorithm  are 
defined  as  in  Algorithm  1  and  Algorithm  2. 


Algorithm 1 GlobalSetup

1: Choose a bilinear group $G_0$ with a prime order $p$. $p$ is
large enough, $g$ is the generator of $G_0$;

2: Choose two random values $\alpha, \beta \in \mathbb{Z}_p$;

3: Publicly define a global constant value $ROOT \in G_1$ as
identification of the secret message;

4: Publicly choose a symmetric encryption algorithm
$Enc_k(\cdot)$ and the corresponding decryption algorithm
$Dec_k(\cdot)$ in $G_1$;

5: Define and publish a public attribute shared among the
network nodes, $(S_{pub}, T_{pub})$, $S_{pub} \in \mathbb{Z}_p$, $T_{pub} \in G_0$;

6: The global parameters are $\{G_0, g, g^{\beta}, e(g, g)^{\alpha}, Enc_k(\cdot),
Dec_k(\cdot), (S_{pub}, T_{pub}), ROOT\}$, global secrets are $\{\beta,$


Algorithm 2 NodeJoin

1: For each node with UID joining the network, generate
a random number $r_{UID} \in \mathbb{Z}_p$ and store it securely;

2: Calculate and assign $D_{UID} = g^{(\alpha + r_{UID})/\beta}$ to the node;

3: Calculate and assign to the node:

$X_{pub,UID}$ =

$Y_{pub} = g^{r_{pub}}$,

$Z_{pub,UID}$ =

where $r_{pub} \in \mathbb{Z}_p$ is a random number for each node;

4: Assign to the node {$D_{UID}$, $X_{pub,UID}$, $Y_{pub}$, $Z_{pub,UID}$}.


Algorithm 3 AuthoritySetup

1: For each attribute $A_i$, choose two random numbers $l_i, k_i \in \mathbb{Z}_p$;

2: For each attribute $A_i$, choose one random value $T_i \in G_0$.


Each individual authority that manages an attribute $A_i$ will
have to run Algorithm 3 to set up attribute secrets.

The KeyGen algorithm generates the private keys corresponding
to each attribute for each node holding this attribute.
It is a cooperative algorithm between an authority and the TTP,
which is defined in Algorithm 4.

The Encrypt algorithm works like this: following the encryption
sequence of each conjunctive clause, denote each
attribute from $A_1$ to $A_m$, where $m$ is the number of attributes in
the clause. Choose a random value $s \in \mathbb{Z}_p$ and set $l_0 = s$.
Given such a clause, the encryption process on message Sk
goes as shown in Algorithm 5. A complete encryption process
runs this process for every clause, skipping the parts that
overlap between clauses. For example, given a policy {A AND B AND
C} OR {A AND B AND D}, where A, B, C, D are four attributes,
the simplified form is {A AND B} AND {C OR D}. The
encryptor can encrypt {A AND B AND C} first and then use
the results for {A AND B} to finish {A AND B AND D} =
{A AND B} AND {D}.
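The prefix reuse described above, as an added Python example that is not code from the paper: it merges clauses given in encryption sequence into a prefix tree and lists the positions that still need a per-attribute triplet. The function names, the tuple representation of clauses and keying reuse on the full prefix are assumptions; no cryptographic values are computed.

```python
"""Added example: shared-prefix reuse when encrypting a DNF policy clause by clause.

Assumptions (not from the paper): clauses are tuples of attribute names already in
encryption sequence, and a triplet is reusable only under an identical prefix.
"""


def absorb(clauses):
    """Drop duplicates and any clause that contains another clause's attributes,
    since X OR (X AND Y) == X. First-seen order is kept."""
    kept = []
    for clause in clauses:
        attrs = frozenset(clause)
        if len(attrs) != len(clause):
            raise ValueError(f"attribute repeated in clause {clause!r}")
        if any(frozenset(k) <= attrs for k in kept):
            continue  # a shorter (or identical) clause already grants access
        kept = [k for k in kept if not attrs <= frozenset(k)]
        kept.append(tuple(clause))
    return kept


def encryption_schedule(clauses):
    """Walk every clause in encryption sequence and record each position that
    still needs a triplet (Algorithm 5, step 3 skips positions already done).

    Returns (schedule, tree): schedule is a list of (prefix, attribute) pairs,
    tree is the nested dict of shared prefixes.
    """
    tree, schedule = {}, []
    for clause in absorb(clauses):
        level, prefix = tree, ()
        for attr in clause:
            if attr not in level:  # nothing computed yet for this position
                level[attr] = {}
                schedule.append((prefix, attr))
            level = level[attr]
            prefix += (attr,)
    return schedule, tree


def factored(tree):
    """Render the prefix tree as a factored policy (AND binds tighter than OR)."""
    if not tree:
        return ""
    branches = [a if not sub else f"{a} AND {factored(sub)}" for a, sub in tree.items()]
    return branches[0] if len(branches) == 1 else "(" + " OR ".join(branches) + ")"


def triplets_saved(clauses):
    """Triplets avoided compared with encrypting every listed clause in full."""
    schedule, _ = encryption_schedule(clauses)
    return sum(len(c) for c in clauses) - len(schedule)


if __name__ == "__main__":
    policy = [("A", "B", "C"), ("A", "B", "D")]  # the policy used in the text
    schedule, tree = encryption_schedule(policy)
    for prefix, attr in schedule:
        print("triplet for", attr, "after", prefix or "(start)")
    print(factored(tree), "| triplets saved:", triplets_saved(policy))
```

Two clauses that list the same attributes in a different order share nothing in this model, so the saving depends on the encryption sequence chosen for each clause.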

The Decrypt algorithm works in the decryption sequence.
Note that the first attribute in the decryption sequence is always
$A_{pub}$. The decrypter follows Algorithm 6 to conduct decryption.

When the Decrypt algorithm succeeds, Sk is the group session
key embedded in C.


Algorithm 4 KeyGen

1: For each attribute $A_i$ assigned for node with UID, the
authority passes UID, $l_i$ and $T_i$ to TTP;

2: TTP computes and sends back to the authority:

X,,uid=9^^^^T[\

Y  =  9^',

Zi,uiD  =  e{g,gY'^‘°^\

where  G  Zp  is  a  random  number;

3: The authority assigns $X_{i,UID}$, $Y_i$ and $Z_{i,UID}$ to the node
together with $T_i$, $l_i$ and $k_i$.


Algorithm 5 Encrypt

1:  Calculate  C  =  Ske{g,gY\  C  =  and  C”  =
EncsYROOT)-

2: Start from the beginning of the clause in encryption
sequence;

3: For each attribute $A_n$, if a triplet ($C_{1,n}$, $C_{2,n}$, $C_{3,n}$) has
already been calculated, move to the next attribute $A_{n+1}$
and restart step 3 with $A_{n+1}$; else, go to step 4;

4: Choose a random number $t_n \in \mathbb{Z}_p$;

5: Calculate:

_  JT-i-iAtu

_  pUn.-l—Ini'tn

^2,n  —  J-n  I

T^3,n  —  {krdn)

$1 \le n \le m$;

6:  Calculate  C2.,„+i  =


Algorithm 6 Decrypt

1: Start from the public attribute $A_{pub}$;

2: For each attribute that the decrypter possesses, compute:

Zn,UIDi„„  ■  e{Xu,UIDa^„,

e{YuAC2,nY^C,,u)

3: If  is one of the decrypter's private
keys, then go to step 2 with attribute $A_{n-1}$; else go to
step 4;

4: Calculate

if $Dec_{Sk}(C'') == ROOT$, Success; else Failure.


B. Apply ABE-based Naming Scheme in ICN

With the above proposed ABE-based naming scheme, we
can achieve the following abilities:

• Specifying the access control policy without knowing the
consumers' keys;

• Full preservation of the policy confidentiality from leaking
to adversaries;

• Step-by-step attribute exposure for consumers to determine
their eligibility efficiently in computation;

• Flexible attribute management.

C.  Attribute  Key  Update 

In  addition  to  the  basic  ICN  related  functions,  it  is  necessary 
to  provide  a  key  update  function  for  attribute  keys.  The  reason 
is  that  when  a  new  entity  joins  in  the  network  after  the  initial 
setup,  it  may  be  desirable  to  make  sure  previous  contents  are 
unavailable.  Also,  it  may  be  true  that  a  certain  entity  needs  to 
be  deprived  of  an  attribute  for  reasons  like  dishonest  behaviors. 
In  such  situations,  a  key  update  algorithm  is  needed  for  the 
attribute  keys.  This  algorithm  is  given  in  Algorithm  7. 
Algorithm 7 KeyUpdate

1: For attribute $A_i$, choose two random values $l'_i, \Delta k_i \in \mathbb{Z}_p$;

2: Encrypt $l'_i$ and $\Delta k_i$ for each intended node (UID) that has
attribute $A_i$ using the node's UID as the policy;

3: Each node updates its keys as
$k'_i = k_i + \Delta k_i$.


V.  Analysis  and  Evaluation 

In this section, the ABE-based naming scheme is evaluated
from performance and security aspects. For performance, we
analyze its computation consumption and its communication
(and storage) overhead. The computation consumption analysis
is carried out by comparing the proposed scheme with existing
ABE schemes. The communication comparison is carried out
on both the content name and the content itself, since
both are transferred in the network. For security
issues, we prove the security strength of our ABE-based
naming scheme according to the attack model in Section III-B.

A.  Performance  Analysis 

From a performance perspective, we are more concerned with
the time consumption for a consumer to decode the content's
real name. Therefore, we will calculate the time it takes for the
decryption process. We treat our algorithm as an encryption
algorithm when testing the time consumption. Thus, a comparison
of the computation overhead of the proposed scheme
with CP-ABE [9], the CN scheme [16], the NYO scheme (the 2nd
construction in [13]), the YRL scheme [10] and the GIE scheme
[14] is carried out. The idea is to compare the number of
time-consuming operations needed in each scheme.

We use a Dell D630 laptop (Intel Core2 Duo T8100
processor 2.10GHz, 1GB memory) with Ubuntu 10.04 for the
experiment. A Type A pairing is set up with the help of the
PBC Library [17]. We test every operation fifty times and
use the average value as the basis for our comparison. Results
of our experiment (Table II) show that the pairing operation takes
longer than any other operation. Therefore, our comparison
metric is set to be the number of pairing operations in the
decryption process.


Table II: Different operations' time consumption (in milliseconds)

Operation        Time
Pairing          4.574
Exponentiation   0.088
Multiplication   0.016
Inversion        0.038

Following the above-mentioned idea, we use $N_{attr}$ to denote
the number of attributes a consumer has. We assume that
the total number of attributes defined in the network is
$N_{all}$. Since the policy is publicly known in CP-ABE and
CN, decrypters are able to decide what attributes to use in
decryption. Therefore, for those who satisfy the policy, the
time spent on decryption is proportional to the number of
attributes involved, which is denoted as $N_{invo}$, $N_{invo} \le N_{attr}$.
It is obvious that for the unauthentic decrypters, it takes 0
in time since the decrypter would halt the decryption. An
unauthentic decrypter in GIE and our scheme is not able to
proceed with the decryption process if it cannot meet the
next attribute. In this situation, we use $N_{part}$ to denote the
number of attributes that the consumer has already decrypted,
where $N_{part} \le N_{invo}$. Since the OR-gate is not widely supported
by all the ABE schemes we mentioned before, we test the
performance with policies consisting of attributes and AND-gates
only. The result of our test is shown in Table III. We need
to point out here that in the real world, $N_{all}$ is far larger than
$N_{attr}$. Therefore, the CN scheme has the largest cost. Among all
the anonymity schemes, GIE and our scheme cost less than
NYO and YRL. As a matter of fact, the cost of our scheme
is around two thirds of that of GIE.


Table III: Comparison of computation cost in decryption

Scheme     Anonymity Support
CP-ABE     No
CN         No
NYO        Yes
YRL        Yes
GIE        Yes
Proposed   Yes

The relationship between time consumption and different
values of $N_{all}$, $N_{attr}$ and $N_{invo}$ is illustrated in Figures 3 to
4. We do not provide the relationship with $N_{part}$ because the
trend is very close to that with $N_{invo}$. All these figures are
generated by changing one value among $N_{all}$, $N_{attr}$ and $N_{invo}$
while keeping the other values constant. From these figures, it
is clear that when $N_{all}$ or $N_{attr}$ changes, the performance of
our proposed scheme is not influenced. The performance
under these two scenarios is the same as that of CP-ABE; these
are the two schemes with the lowest time consumption. This is also
applicable to $N_{invo}$ when $N_{invo}$ is less than a certain value,
8 in this specific setting. When $N_{invo}$ gets greater than the
threshold, the CN scheme becomes the most efficient one. This is
because the CN scheme uses all the attributes a decrypter has for
decryption. The number of pairings is only $N_{all}$
plus 1, which is not sensitive to $N_{invo}$. Similar reasons could
also explain why the performances of NYO and YRL do not
change in the same setting.


To evaluate the communication costs, we compare the size
of the network name and the size of the content itself. The
purpose of comparing the network name is to make sure that
the names generated by our scheme do not consume much
more storage space than existing solutions. The size of the
network name is determined by the size of the hash algorithm
outputs. In the PBC library[17], a data structure element_t is used
to represent an element in an algebraic structure. The size of
this structure is 8 bytes. Thus, for our scheme, we need 24
bytes to store the network name. Compared with this name
size, a content in CBCB[1] is identified by a set of attributes
with corresponding values. The size of this attribute set is
determined by the content owners. Thus, we can model the
names as a human-readable string of an undetermined size.
NDN[3] shares a similar problem with the name size since
the names in NDN also consist of a number of human-readable
strings. As mentioned before, DONA[2], NetInf[4]
and PURSUIT[5] share the same naming scheme. Therefore,
we only use the size of DONA's name for comparison. In [2],
the size of the name is confined to 40 bytes in its protocol
header. Thus, the network name size in our scheme is small
enough for ICN usage.


Figure 3: $N_{attr}$ vs. Time Consumption

Figure 4: $N_{invo}$ vs. Time Consumption


Table IV: Comparison of ciphertext size

Scheme     Ciphertext Size
CP-ABE     $1G_1 + (2N_{ciph} + 1)G_0$
CN         $1G_1 + (N_{all} + 1)G_0$
NYO        $1G_1 + (2N_{all} + 1)G_0$
YRL        $1G_1 + (3N_{all} + 2)G_0$
GIE        Nciph^i  +  ^Nciph^o
Proposed   iGi  +  i^Nciph  +  4)Go  +  Nciph^p

The content size of different naming schemes differs depending
on the way a content is structured. However, the basic
components are the same: a digest and the data of the
content. To this end, there is not much difference between
the proposed scheme and existing schemes in content size.

B.  Security  Analysis 


We analyze the security performance of our scheme based on
the attack model provided in Section III-B. In the following,
we give sketches to prove that the security strength of our
algorithm is no weaker than CP-ABE. Therefore, it is impossible
for an attacker to retrieve the session key without
satisfactory attributes. We also prove that attackers cannot
gain more information from a collusion attack. Furthermore, an
attacker cannot confirm an attribute in the decryption process if
he does not own the attribute. Finally, the proposed scheme is
able to guarantee forward and backward secrecy.

Theorem  1:  The  cryptographic  strength  of  the  proposed 
scheme  is  as  good  as  that  of  CP-ABE  scheme. 

Proof Sketch: To prove this theorem, we need to prove
that the changed components in the ciphertext do not reduce the
security of the proposed scheme. There are two differences
between the proposed scheme and CP-ABE in ciphertext. The
first one is the choice of exponents in $C_{1,n}$ and $C_{2,n}$ for each
attribute. In CP-ABE, the exponent, $q_y(0)$, is equal to the
y-axis coordinate of a random point on a polynomial chosen
for the attribute. In the proposed scheme, this value is
$(l_{n-1} - l_n)t_n$, which is the difference between the current attribute
secret $l_n$ and its parent attribute secret $l_{n-1}$ multiplied by
a random value $t_n$. Both exponents in the proposed scheme
and CP-ABE are randomized so that an attacker cannot gain
any useful information from the distribution of the content
names. Then assume an attacker is able to deduce the values
of $(l_{n-1} - l_n)t_n$, $1 \le n \le m+1$, using a certain method; this
attacker still cannot get the value of $(l_{n-1} - l_n)$ nor $s$ since he
has no knowledge of $t_n$. However, if this method works, it can
also be applied to deducing the exponent in CP-ABE, which
eventually leads to the leak of $s$ using Lagrange polynomial
interpolation.

The other difference is that there is an additional ciphertext
$C_{3,n}$ for each attribute in the proposed scheme. If an attacker
is able to retrieve the random value $t_n$, he is able to get the
values $T_n^{l_{n-1}-l_n}$ and $k_n$. But he cannot find any
useful information if he does not possess the secret information
$T_n$ and $l_n$ associated with attribute $A_n$. ■

Theorem 2: The proposed scheme is secure against collusion
attack.

Proof Sketch: The proposed scheme guarantees the uniqueness
of intermediate decryption results for each consumer.
That is, in the NodeJoin algorithm, the random value $r_{UID}$ chosen
for each entity is different and unique. If attackers combine
their keys together to decrypt the same policy, the intermediate
results they can get are in the form of e(p, which

are different between the attackers. Furthermore, the difficulty
for an attacker (UID) to convert his intermediate result to
the result of another entity (UID') equals the difficulty to
get the value $r_{UID'}/r_{UID}$, which is only known to the TTP.
Thus, attackers cannot correctly recover either the intermediate
results or the secret message Sk from collusion. ■

In  GIE,  when  a  decrypter  successfully  decrypts  ciphertext 
corresponding  to  one  attribute,  it  is  able  to  know  what  the  next 
attribute  is  for  continuing  the  decryption  process.  Attackers 
can  exploit  such  knowledge  to  infer  or  deduce  more  informa¬ 
tion  about  the  targets.  In  the  proposed  scheme,  this  problem  is 
solved  so  that  the  attacker  cannot  tell  what  the  next  attribute 
is  if  it  does  not  own  this  attribute. 

Theorem  3:  An  attacker  cannot  confirm  attributes  other  than 
his  own  in  decryption  process. 

Proof Sketch: The decryption process in the proposed
scheme is conducted attribute by attribute. A decrypter is
able to confirm his ownership of the next attribute if he
successfully decrypts the current one. But he is unable to gain
any knowledge about the next attribute if he does not own
that attribute. In fact, when an attacker successfully decrypts
along the decryption path to an attribute $A_n$, he is able to get
the value e((/, He can also get

from $Z_{n,UID}$ and However, due to the difficulty of the Discrete
Logarithm Problem, the attacker is not able to deduce $l_{n-1}$.
■

Theorem  4:  The  proposed  scheme  guarantees  forward  and 
backward  secrecy. 

Proof Sketch: To maintain forward and backward secrecy
for each communication group, the group session key needs
to be updated by encrypting and distributing the new session
key using our scheme. In addition to group communication
secrecy, it is necessary to guarantee the forward and backward
secrecy for each attribute key. If an entity is assigned
an attribute $A_n$ after the network setup, it is assigned the
updated key corresponding to this attribute, i.e. Z'^  =

iZn,uiD)^"^^" , $k'_n = k_n + \Delta k_n$. The entity is not able to
decrypt previous communications using this attribute with its
current keys. This is because all the elements in its key are
updated to new values except for $T_n$. Without the knowledge
of $l_n$, the attacker cannot conduct any attacks as discussed
in Theorem 1. This security guarantee is also applicable to
forward secrecy. But for forward secrecy, the updated keys are
distributed with the proposed scheme to all the nodes except
for those whose attribute is revoked. ■

VI.  Conclusion 


In this paper, we propose a novel naming scheme for ICN
networks. This scheme is based on a new design of an ABE-based
algorithm. The content names are protected based on
attributes. This scheme greatly reduces the communication and
computation overhead compared to existing ABE solutions.
Also, this scheme is designed in a public-key pattern, making
it more flexible for attribute management. From a security and
privacy perspective, this scheme achieves a security level as
good as CP-ABE but with protection on attribute policies.
It guarantees attribute anonymity with no attribute exposure.
Forward and backward secrecy is achieved with a key update
mechanism. Experiments and analysis confirm the effectiveness
of this scheme.